The following versions of Symbiont are currently supported with security updates:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security vulnerability in Symbiont, please report it to us privately.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please:
- Email: Send details to [email protected]
- Subject: Include "SECURITY" in the subject line
- Content: Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Any suggested fixes (if you have them)
After you report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will assess the vulnerability and provide an initial response within 5 business days
- Updates: We will keep you informed of our progress throughout the process
- Resolution: We aim to resolve critical vulnerabilities within 30 days
Our disclosure policy:
- We follow responsible disclosure practices
- We will work with you to understand and resolve the issue before any public disclosure
- We will credit you for the discovery (unless you prefer to remain anonymous)
- We will coordinate with you on the timing of public disclosure
When using Symbiont in production:
- Keep Updated: Always use the latest supported version
- Secrets Management: Store credentials and API keys in the built-in secrets management system rather than in agent configuration files
- Sandboxing: Enable sandboxing and choose an isolation level that matches the trust you place in each agent
- Access Control: Require authentication and authorization for anyone or anything that can create or modify agent configurations, since those configurations define the code Symbiont runs
- Monitoring: Enable audit logging and monitor for suspicious activity
- Network Security: Run Symbiont in a properly secured network environment
Symbiont includes several security features:
- Sandboxed Execution: Isolated execution environments for agents
- Secrets Management: Encrypted storage and secure access to sensitive data
- Audit Logging: Comprehensive logging of security-relevant events
- Policy Engine: Fine-grained access control and security policies
- Signed Container Images: Docker images are signed with cosign
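Signed images only help if the consumer verifies the signature before running the image. The script below is an added example, not Symbiont's own tooling, showing the check a deployment pipeline would perform: verify with cosign, confirm that the digest the signature covers is the digest you recorded, and run the image by that pinned digest rather than by a movable tag. It assumes keyless (Sigstore) signing from a GitHub Actions workflow; the image reference, the signer identity regexp and the OIDC issuer are placeholders, not values published by Symbiont. If the project publishes a public key instead, replace the two `--certificate-*` flags with `--key <public-key>`. The cosign output embedded for the offline self-check is constructed.

```shell
#!/bin/sh
# Added example (not Symbiont's own tooling): verify the cosign signature on a
# Symbiont image, then pin the digest that the signature covers.
#
# ASSUMPTIONS not stated on the page: keyless (Sigstore) signing from a GitHub
# Actions workflow, and the placeholder image reference, signer identity regexp
# and OIDC issuer below. Replace them with the values the project publishes.
# If the project publishes a public key instead, use: cosign verify --key KEY.pub
IMAGE="${IMAGE:-ghcr.io/example/symbiont:0.1.0}"
SIGNER_ID_RE="${SIGNER_ID_RE:-^https://github\.com/example/symbiont/\.github/workflows/.*}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"

# Pull out the manifest digest the signature is bound to from cosign's JSON
# output (one JSON array on stdout). Prints it and returns 0, or returns 1
# when no digest is present.
signed_digest() {
  digest=$(printf '%s' "$1" \
    | grep -oE '"docker-manifest-digest" *: *"sha256:[0-9a-f]{64}"' \
    | head -n 1 \
    | grep -oE 'sha256:[0-9a-f]{64}' || true)
  [ -n "$digest" ] || return 1
  printf '%s\n' "$digest"
}

# Policy decision: the digest the signature covers must equal the digest
# recorded in your deployment manifest. Exit 0 = run, 1 = refuse.
digest_matches() {
  [ "$1" = "$2" ]
}

# Rewrite image:tag as image@sha256:... so the runtime pulls exactly what was
# verified, even if the tag is later moved. A registry port (host:5000/img)
# is left intact.
pinned_reference() {
  case "${1##*:}" in
    */*) printf '%s@%s\n' "$1" "$2" ;;      # last ':' belongs to a port
    *)   printf '%s@%s\n' "${1%:*}" "$2" ;; # last ':' introduces a tag
  esac
}

# Full check: needs cosign and network access. Prints the pinned reference
# to run on success; non-zero exit on any failure.
verify_and_pin() {
  out=$(cosign verify \
      --certificate-identity-regexp "$SIGNER_ID_RE" \
      --certificate-oidc-issuer "$OIDC_ISSUER" \
      "$1") || { echo "signature verification failed for $1" >&2; return 1; }
  signed=$(signed_digest "$out") || { echo "no digest in cosign output" >&2; return 1; }
  digest_matches "$signed" "$2" \
    || { echo "digest mismatch: signed=$signed expected=$2" >&2; return 1; }
  pinned_reference "$1" "$signed"
}

# Constructed sample of cosign's verification output, used for the offline
# self-check below (not real output from the Symbiont project).
SAMPLE_COSIGN_OUTPUT='[{"critical":{"identity":{"docker-reference":"ghcr.io/example/symbiont"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":{"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/example/symbiont/.github/workflows/release.yml@refs/tags/v0.1.0"}}]'

# Offline self-check against the constructed sample.
signed_digest "$SAMPLE_COSIGN_OUTPUT" >/dev/null || { echo "self-check failed" >&2; exit 1; }

# Real run (set RUN_VERIFY=1 and EXPECTED_DIGEST to the digest you recorded):
#   pinned=$(verify_and_pin "$IMAGE" "$EXPECTED_DIGEST") && docker run --rm "$pinned"
if [ "${RUN_VERIFY:-0}" = "1" ]; then
  verify_and_pin "$IMAGE" "${EXPECTED_DIGEST:?set EXPECTED_DIGEST}"
fi
```

The identity and issuer flags matter as much as the signature itself: a signature from any Sigstore identity is easy to obtain, so cosign must be told which signer to accept. Comparing the signed digest against one you recorded earlier also defends against a tag being re-pointed at a different, validly signed image.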
Symbiont executes arbitrary code as defined in agent configurations, so anyone who can write an agent configuration can run code on the host, limited only by the sandbox. Treat agent configurations as privileged input:
- Ensure proper network isolation and access controls around the deployment
- Regularly review and audit agent configurations, including changes to them
- Monitor system resources and API usage for anomalies
- Use encryption for data at rest and in transit
We maintain an internal vulnerability management process:
- Triage: Initial assessment and severity classification
- Investigation: Technical analysis and impact assessment
- Remediation: Development and testing of fixes
- Release: Security patches and coordinated disclosure
- Post-mortem: Review process improvements
Reported issues are classified by severity as follows:
- Critical: Remote code execution, remotely exploitable privilege escalation
- High: Disclosure of sensitive information (such as secrets or credentials), authentication bypass
- Medium: Denial of service, local privilege escalation
- Low: Minor information leakage, other minor security issues
We monitor our dependencies for known vulnerabilities:
- Regular dependency updates
- Automated vulnerability scanning
- Review of dependency security advisories
- Prompt patching of vulnerable dependencies
For security-related questions or concerns:
- Security Email: [email protected]
- General Contact: [email protected]
- Website: https://symbiont.dev
This security policy is subject to change. Check this document regularly for updates.